// Detection rule for the BoxCaon backdoor (IndigoZebra). The sample carries
// hard-coded Dropbox HTTP API request bodies, both as ASCII and as UTF-16LE;
// the patterns below key on those format strings. The bare API hostname
// ($s3) also appears in legitimate Dropbox client software, so the
// condition deliberately requires a majority of the patterns, not any one.
rule Mal_BoxCaon_Jul_2021_1
{
    meta:
        description = "Detect the BoxCaon malware"
        author = "Arkbird_SOLG"
        reference1 = "https://research.checkpoint.com/2021/indigozebra-apt-continues-to-attack-central-asia-with-evolving-tools/"
        date = "2021-07-01"
        hash1 = "8be3b10406f690ae5cf46c1dba18cb9a1c75bf646defcc9cab81d40fe0e0cc1b"
        hash2 = "d0b88ab321a05fc94505620c9d02baec4cb1de7bb3b0067de4f8c0d3ba8548b2"
        tlp = "White"
        adversary = "IndigoZebra"

    strings:
        // Dropbox API JSON body with a printf-style path placeholder (ASCII).
        $s1 = "{\"path\": \"%s\",\"autorename\": false}" ascii

        // Dropbox "list_folder" style request body, again with a %s path placeholder (ASCII).
        $s2 = "{\"path\": \"%s\",\"recursive\": false,\"include_media_info\": false,\"include_deleted\": false,\"include_has_explicit_shared_members\": false,\"include_mounted_folders\": true,\"include_non_downloadable_files\": true}" ascii

        // Dropbox API hostname; legitimate on its own, only meaningful together with the others.
        $s3 = "api.dropboxapi.com" fullword ascii

        // Mixed ASCII / UTF-16LE cluster, kept as raw bytes because of the
        // interleaved null padding between strings:
        //   "path_display": "            (ASCII, twice with slightly different spacing)
        //   \r\nDropbox-API-Arg: {"path": " ... "}\r\n   (UTF-16LE)
        //   {"error_summary"             (ASCII)
        //   %s\%s                        (UTF-16LE)
        //   {"path": "%s"                (ASCII)
        $s4 = { 22 70 61 74 68 5f 64 69 73 70 6c 61 79 22 3a 20 22 00 00 00 22 00 00 00 22 70 61 74 68 5f 64 69 73 70 6c 61 79 22 20 3a 20 22 00 00 0d 00 0a 00 44 00 72 00 6f 00 70 00 62 00 6f 00 78 00 2d 00 41 00 50 00 49 00 2d 00 41 00 72 00 67 00 3a 00 20 00 7b 00 22 00 70 00 61 00 74 00 68 00 22 00 3a 00 20 00 22 00 00 00 22 00 7d 00 0d 00 0a 00 00 00 00 00 7b 22 65 72 72 6f 72 5f 73 75 6d 6d 61 72 79 22 00 00 00 00 25 00 73 00 5c 00 25 00 73 00 00 00 7b 22 70 61 74 68 22 3a 20 22 25 73 22 }

        // Working directory template under the world-writable Public profile.
        $s5 = "C:\\Users\\Public\\%d\\" fullword ascii

        // UTF-16LE Dropbox upload argument followed by the HTTP Content-Type header:
        //   ","mode": "overwrite","autorename": false,"mute": true,"strict_conflict": false}\r\nContent-Type: application/octet-stream
        // Kept as raw bytes: the pattern ends on the ASCII byte of the final
        // character without its null, so a "wide" text string would not be
        // byte-for-byte equivalent.
        $s6 = { 22 00 2c 00 22 00 6d 00 6f 00 64 00 65 00 22 00 3a 00 20 00 22 00 6f 00 76 00 65 00 72 00 77 00 72 00 69 00 74 00 65 00 22 00 2c 00 22 00 61 00 75 00 74 00 6f 00 72 00 65 00 6e 00 61 00 6d 00 65 00 22 00 3a 00 20 00 66 00 61 00 6c 00 73 00 65 00 2c 00 22 00 6d 00 75 00 74 00 65 00 22 00 3a 00 20 00 74 00 72 00 75 00 65 00 2c 00 22 00 73 00 74 00 72 00 69 00 63 00 74 00 5f 00 63 00 6f 00 6e 00 66 00 6c 00 69 00 63 00 74 00 22 00 3a 00 20 00 66 00 61 00 6c 00 73 00 65 00 7d 00 0d 00 0a 00 43 00 6f 00 6e 00 74 00 65 00 6e 00 74 00 2d 00 54 00 79 00 70 00 65 00 3a 00 20 00 61 00 70 00 70 00 6c 00 69 00 63 00 61 00 74 00 69 00 6f 00 6e 00 2f 00 6f 00 63 00 74 00 65 00 74 00 2d 00 73 00 74 00 72 00 65 00 61 00 6d }

        // Remote path templates: "%s/" + 1-4 arbitrary bytes + ".txt" ...
        $s7 = { 25 73 2f [1-4] 2e 74 78 74 }
        // ... and the timestamped variant "%s/" + 1-4 bytes + "-%04d%02d%02d%02d%02d%02d.txt".
        $s8 = { 25 73 2f [1-4] 2d 25 30 34 64 25 30 32 64 25 30 32 64 25 30 32 64 25 30 32 64 25 30 32 64 2e 74 78 74 }

    condition:
        // PE header ("MZ"), a minimum size to skip tiny stubs, and at least
        // six of the eight patterns ("them" covers every string in this rule).
        uint16(0) == 0x5a4d and filesize > 30KB and 6 of them
}
